Users cannot remotely connect to a domain controller that is protected with the Windows Logon Agent via RDP

Issue

Users who do not have the "Log On Locally" right cannot remotely connect to a computer that is protected with the Windows Logon Agent via RDP, even if they have the correct permissions for a network logon.

Cause

The Windows Logon Agent and Windows Credential Provider handles remote connections to a domain controller as a local logon process. Whether a session is local or remote, it will require local connection privileges.